US10237257B2ActiveUtilityA1

Network service header used to relay authenticated session information

68
Assignee: CISCO TECH INCPriority: Feb 3, 2016Filed: Feb 3, 2016Granted: Mar 19, 2019
Est. expiryFeb 3, 2036(~9.6 yrs left)· nominal 20-yr term from priority
H04L 69/22H04L 63/164H04L 63/0884H04L 63/162H04L 67/141H04W 12/06H04L 63/08H04L 63/126H04L 67/02
68
PatentIndex Score
2
Cited by
33
References
18
Claims

Abstract

In one embodiment, a system, method, and computer program product are disclosed for authenticating a packet received from a client node, storing the results of the authentication in a cache memory of a service classifier node, and including the results of the authentication in a network service header of a packet before forwarding the packet to downstream service nodes. In one embodiment, the initial authentication is performed in conjunction with an authentication node.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 receiving a first packet at a service function classifier node in a service topology layer, wherein
 the service function classifier node comprises a cache, and 
 the first packet is received from a first client node in the service topology layer; 
 
 determining that a session has not been established for the first client node; 
 in response to determining that a session has not been established for the first client node, forwarding the first packet to an authentication node; 
 authenticating the first packet at the authentication node; 
 subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, wherein
 the storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node; 
 
 in response to authenticating the first packet, setting a value in a header of the first packet, wherein
 the value indicates that the first packet is authenticated in the service topology layer; and 
 
 forwarding the first packet to a first service node in the service topology layer, wherein the first service node is configured to perform a first service function, and 
 the first service node uses the value in the header to authenticate the first packet prior to performing the first service function. 
 
     
     
       2. The method of  claim 1 , further comprising:
 establishing a session related to the first client node, wherein
 the session comprises information about the first client node. 
 
 
     
     
       3. The method of  claim 2 , wherein the authenticating comprises
 determining whether a session has been established in the service topology layer for the first client node. 
 
     
     
       4. The method of  claim 3 , wherein the authenticating further comprises:
 in response to determining that the session has been established for the first client node, authenticating the first packet based, at least in part, on the information stored in the cache. 
 
     
     
       5. The method of  claim 1 , wherein the authenticating further comprises:
 in response to the forwarding the first packet to the authentication node, receiving an indication from the authentication node. 
 
     
     
       6. The method of  claim 1 , wherein the forwarding comprises:
 determining a service path associated with the first packet, wherein the determining is performed prior to the forwarding the first packet to the authentication node. 
 
     
     
       7. The method of  claim 1 , further comprising:
 subsequent to authenticating the first packet, receiving a second packet at the service function classifier node, wherein
 the second packet is received from the first client node; 
 
 authenticating the second packet by using the authentication information stored in the cache of the service function classifier node; and 
 subsequent to authenticating the second packet, forwarding the second packet to a second service node in the service topology layer. 
 
     
     
       8. A system comprising:
 a service function classifier node, wherein
 the service function classifier node comprises
 a first microprocessor, 
 a cache, and 
 a non-transitory computer-readable storage medium, comprising computer instructions executable by the first microprocessor, wherein the computer instructions are configured to perform a method comprising the steps of:
 receiving a first packet, wherein 
  the first packet is received from a first client node in a service topology layer, 
 determining that a session has not been established for the first client node, 
 in response to determining that a session has not been established for the first client node, forwarding the first packet to an authentication node, 
 authenticating the first packet at the authentication node, 
 subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, wherein 
  the storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node, 
 in response to authenticating the first packet, setting a value in a header of the first packet, wherein 
  the value indicates that the first packet is authenticated in the service topology layer, and 
 forwarding the first packet to a first service node in the service topology layer, wherein 
  the first service node is configured to perform a first service function, 
  the first service node uses the value in the header to authenticate the first packet prior to performing the first service function, and 
  the first service node comprises at least a second processor. 
 
 
 
 
     
     
       9. The system of  claim 8 , wherein the method further comprises:
 establishing a session related to the first client node, wherein
 the session comprises information about the first client node. 
 
 
     
     
       10. The system of  claim 9 , wherein the authenticating further comprises:
 determining whether a session has been established in the service topology layer for the first client node. 
 
     
     
       11. The system of  claim 10 , wherein the authenticating of the first packet further comprises:
 in response to determining that the session has been established for the first client node, authenticating the first packet based, at least in part, on the information stored in the cache. 
 
     
     
       12. The system of  claim 8 , wherein the authenticating further comprises:
 in response to forwarding the first packet to the authentication node, receiving an indication from the authentication node. 
 
     
     
       13. The system of  claim 8 , wherein the forwarding comprises:
 determining a service path associated with the first packet, wherein the determining is performed prior to the forwarding the first packet to the authentication node. 
 
     
     
       14. A non-transitory computer-readable storage medium comprising:
 a plurality of program instructions, comprising
 a first set of instructions, executable on a computer system, configured to
 receive a first packet at a service function classifier node, wherein
 the service function classifier node comprises a cache, and 
 the first packet is received from a first client node in a service topology layer, 
 
 determine that a session has not been established for the first client node, and 
 in response to determining that a session has not been established for the first client node, forward the first packet to an authentication node; 
 
 a second set of instructions, executable on the computer system, configured to
 authenticate the first packet at the authentication node, 
 subsequent to authenticating the first packet, storing authentication information in the cache of the service function classifier node, wherein
 the storing is configured to allow the service function classifier node to authenticate a subsequent packet received from the first client node; 
 
 in response to authenticating the first packet, set a value in a header of the first packet, wherein
 the value indicates that the first packet is authenticated in the service topology layer; and 
 
 
 a third set of instructions, executable on the computer system, configured to
 forward the first packet to a first service node in the service topology layer, wherein
 the first service node is configured to perform a first service function, and 
  the first service node uses the value in the header to authenticate the first packet prior to performing the first service function. 
 
 
 
 
     
     
       15. The non-transitory computer-readable storage medium of  claim 14 , wherein the plurality of program instructions further comprise:
 a fourth set of instructions, executable on the computer system, configured to
 establish a session related to the first client node, wherein
 the session comprises information about the first client node. 
 
 
 
     
     
       16. The non-transitory computer-readable storage medium of  claim 15 , wherein the second set of instructions is further configured to:
 determine whether a session has been established in the service topology layer for the first client node. 
 
     
     
       17. The non-transitory computer-readable storage medium of  claim 16 , wherein the second set of instructions is further configured to:
 in response to determining that the session has been established for the first client node, authenticate the first packet based, at least in part, on the information stored in the cache. 
 
     
     
       18. The non-transitory computer-readable storage medium of  claim 14 , wherein the first set of instructions is further configured to:
 in response to forwarding the first packet to the authentication node, receive an indication from the authentication node.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.